Firewall Wizards mailing list archives

RE: Odd scan to port 36867


From: "Ben Nagy" <ben () iagu net>
Date: Tue, 16 Nov 2004 10:29:01 +0100

Could be malware activity, or someone scanning for backdoors / botnets. None
of the current big name malware uses that port by default AFAIK, but I guess
there could be variants.

Personally, I'd be interested in seeing more of the logs - there might be
patterns in the source port, IPID, etc. which often indicate that it's malware
generated. You can send those through to me direct if you don't want to bore
the list.

The TTL is 103 - that means it's odds on that this traffic came from a
Windows system. Default TTL is 64 on most of the unix / linux variants (it
could be VMS, but there are too many unique sources!). If your logs show
other packets with TTL 0<ttl<64 then it's almost certainly scanning activity
not malware, since it's cross platform.

rDNS says this is ip142177185232.mpoweredpc.net so this _particular_ probe
seems to be a home user in Canada - it's a sneaky Canadian, not a sneaky
German.

SANS Dshield is dead right now, but normally I would also check there, to
see if what you're seeing is backed up by a local / global increase. You
could also submit it to the handlers there, they do good Sherlock Holmes
work, if they've got time.

If this is what it looks like (perps scanning for non-standard backdoors)
then it would be good to investigate further. Then again it could just be
nothing, who knows.

Cheers,

ben

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of SiegeX
Sent: Monday, November 15, 2004 3:05 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] Odd scan to port 36867

Hi guys, I recently decided to write a simple bash script to go through all my
iptables logs and see which ports were being hit the most. Note that I only
logged NEW connections to ports that aren't open on my computer. Here are the
top 10 results:

495 36867
[...]
Below is a sample from my iptables logs so you can see what I'm parsing.

Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT= 
MAC=00:60:08:11:9d:86:00:0b:23:68:65:fc:08:00  
SRC=142.177.185.232 DST=X.X.X.X LEN=48 TOS=00 PREC=0x00 
TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867 
SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0

Just to make sure that this port is not being hit by one or two different
guys, I parsed my logs to see how many unique IPs were hitting port 36867 and
I came up with 173 unique IPs.
[...]
I've yet to cross-reference the 173 unique IPs hitting port 36867 to Maxmind's
database, but I have a strong feeling that they are coming from Germany. I hope
you guys have a better clue what's going on than I do. Thanks.

-Sean

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
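As an added example (not Sean's bash script and not anything Ben posted), here is a small Python parser for iptables LOG lines in the format Sean pasted. It answers the three questions the thread raises: which destination ports receive the most NEW TCP connection attempts, how many distinct sources hit a given port, and what the observed TTL suggests about the sending OS, following Ben's reasoning that 103 is a decremented 128 and therefore odds-on Windows, while anything at or below 64 points at a Unix-like sender. The log lines are constructed in the page's layout using RFC 5737 documentation addresses; the initial-TTL table (64, 128, 255) is an assumption about common OS defaults, and the `maximus` / `possible_hack` prefix is copied from the post.

```python
import re
from collections import Counter

# Constructed sample iptables LOG lines in the same layout as Sean's post.
# Addresses are from the RFC 5737 documentation ranges; TTLs, IDs and ports
# were chosen to illustrate the analysis and were not captured from a host.
SAMPLE_LOG = """\
Nov 14 10:51:30 maximus possible_hack IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=48 TOS=00 PREC=0x00 TTL=103 ID=2881 DF PROTO=TCP SPT=62121 DPT=36867 SEQ=785042995 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 10:52:02 maximus possible_hack IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.11 DST=203.0.113.5 LEN=48 TOS=00 PREC=0x00 TTL=110 ID=2882 DF PROTO=TCP SPT=62122 DPT=36867 SEQ=1 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 10:53:15 maximus possible_hack IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=00 PREC=0x00 TTL=117 ID=4000 DF PROTO=TCP SPT=3345 DPT=36867 SEQ=2 ACK=0 WINDOW=65535 SYN URGP=0
Nov 14 10:54:40 maximus possible_hack IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.8 DST=203.0.113.5 LEN=60 TOS=00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=40001 DPT=36867 SEQ=3 ACK=0 WINDOW=5840 SYN URGP=0
Nov 14 10:55:01 maximus possible_hack IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=48 TOS=00 PREC=0x00 TTL=103 ID=2883 DF PROTO=TCP SPT=62130 DPT=445 SEQ=4 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 10:55:09 maximus possible_hack IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.10 DST=203.0.113.5 LEN=48 TOS=00 PREC=0x00 TTL=103 ID=2884 DF PROTO=TCP SPT=62131 DPT=445 SEQ=5 ACK=0 WINDOW=16384 SYN URGP=0
Nov 14 10:56:00 maximus possible_hack IN=eth0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.9 DST=203.0.113.5 LEN=40 TOS=00 PREC=0x00 TTL=52 ID=1234 PROTO=UDP SPT=5000 DPT=53 LEN=20
"""

# iptables writes KEY=VALUE pairs plus bare flag tokens (DF, SYN, ACK, ...).
FIELD_RE = re.compile(r"(\w+)=(\S*)")
FLAG_TOKENS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "MF", "CE"}

# Assumed common initial TTLs: 64 (Linux/BSD/macOS), 128 (Windows),
# 255 (Solaris and many routers). A crafted packet can carry any TTL,
# so this is a hint about the sender, not proof.
INITIAL_TTLS = (64, 128, 255)


def parse_line(line):
    """Parse one iptables LOG line into a dict; return None for other lines."""
    if "IN=" not in line:
        return None
    rec = dict(FIELD_RE.findall(line))
    # Bare tokens such as "SYN" or "DF"; note "ACK=0" is a field, not a flag.
    rec["FLAGS"] = {tok for tok in line.split() if tok in FLAG_TOKENS}
    for key in ("TTL", "ID", "SPT", "DPT"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_new_tcp_connection(rec):
    """A SYN without ACK is a fresh connection attempt (conntrack NEW)."""
    return (rec.get("PROTO") == "TCP"
            and "SYN" in rec["FLAGS"]
            and "ACK" not in rec["FLAGS"])


def top_ports(records, n=10):
    """Most-hit destination ports, counting only NEW TCP attempts."""
    counts = Counter(r["DPT"] for r in records if is_new_tcp_connection(r))
    return counts.most_common(n)


def unique_sources(records, port):
    """Distinct source addresses that probed the given destination port."""
    return {r["SRC"] for r in records if r.get("DPT") == port}


def guess_initial_ttl(ttl):
    """Smallest common initial TTL that the observed value could have started from."""
    for initial in INITIAL_TTLS:
        if 0 < ttl <= initial:
            return initial
    raise ValueError(f"TTL out of range: {ttl}")


def hop_estimate(ttl):
    """Hops traversed if the sender used the guessed initial TTL (103 -> 25)."""
    return guess_initial_ttl(ttl) - ttl


def ttl_profile(records, port):
    """Per distinct source hitting `port`, bucket by guessed initial TTL.

    A mix of 64 and 128 buckets suggests cross-platform scanning tools;
    a single bucket is more consistent with one malware family.
    """
    first_seen = {}
    for r in records:
        if r.get("DPT") == port and r["SRC"] not in first_seen:
            first_seen[r["SRC"]] = guess_initial_ttl(r["TTL"])
    return Counter(first_seen.values())


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for port, hits in top_ports(recs):
        srcs = unique_sources(recs, port)
        print(f"{hits:>5} {port:<6} unique sources={len(srcs):<4} "
              f"initial-TTL profile={dict(ttl_profile(recs, port))}")
```

On the constructed sample the script reports port 36867 with four hits from four distinct sources, three of which bucket as initial TTL 128 and one as 64, which is exactly the mixed profile Ben says would argue for a scanner rather than a single-platform piece of malware. Run it over a real log with `parse_log(open("/var/log/messages").read())`.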